Fall World 2014

Conference & Exhibit

Attend The #1 BC/DR Event!

Summer Journal

Volume 27, Issue 3

Full Contents Now Available!

Seven Steps to Identifying Private and Public Interdependencies

Public and private interdependencies have always been an important focus of PPBI! This column hopefully gives you an idea you can put into practice.

So first, let’s define what we mean by interdependencies. Interdependencies are relationships that encompass primarily outside entities, both public agencies and private companies, which can affect your ability to recover from an outage and conduct business.

Simply stated, interdependencies require that companies not only focus on their own individual recovery plans, but they must also consider external influences that can significantly impact their ability to recover in a timely manner, or possibly recover at all!

To address the issue of understanding interdependencies, we have developed a seven-step approach that will help you create an awareness of the interdependencies that affect your organization’s business continuity planning and its ability to recover in a timely manner. It can be used as an aid in conducting an interdependencies assessment within your organization. The process of conducting an interdependencies assessment, and the resulting awareness and information will help you:

  • Identify the potential impact of various external infrastructure and business disruptions on your organization.
  • Identify the impact of the interdependencies on your organization’s recovery times and points.
  • Improve the awareness of the various reliance’s you have with, and between private and public organizations.
  • Determine potential steps and actions to mitigate or lessen the impacts, on your organization, of outages among the interdependent organizations.
  • Lay the foundation for continual evaluation of external interdependencies.

The better you understand interdependencies, the more prepared you will be to respond to them. You will be able to develop relationships with public agencies that strengthen your recovery capabilities and reduce the need for inefficient interaction and potential friction when problems arise. You will also better understand the impact on your ability to operate or to recover, based on the recovery capability of other companies or businesses with whom you transact business or upon whom you rely.

The steps in identifying interdependencies include:

  1. Creating awareness of the Interdependencies issue within your organization
  2. Defining a scenario and determining the geographic area that should be considered
  3. Identifying public agency interdependencies and impacts
  4. Identifying private sector business interdependencies and impacts
  5. Prioritizing public and private interdependencies for assessment
  6. Reviewing the scenarios and the interdependencies that might occur
  7. Taking corrective/preventative steps to lesson the impact of interdependencies

Step 1. Raising Awareness and Preparing for the Workshop

The first step in the Interdependencies process is to create a sense of awareness to the issue of interdependencies.

Spend some time researching private and public partnerships and sharing that information with other in your organization. Great sources to research are the FBI and DHS supported InfraGard organization www.infragard.net, Michigan States’ Critical Incident Protocol site www.cip.msu.edu, groups like ChicagoFirst www.chicagofirst.org, The National Council for Public-Private Partnerships www.ncppp.org and of course Private and Public Businesses Inc. www.ppbi.org.

In addition, you may choose to go out and meet with external organizations you identify, both to understand how they would react to an outage, validating or mitigating your concerns, as well as to help them understand your plans and requirements.

Step 2. Define A Scenario

This step will help you understand the scope of potential interdependencies, based on the types of disasters that may strike. Remember that any scenario must be one that impacts more than just your organization. Hence, an equipment failure, fire, flood, power outage or other localized problem would probably not result in an interdependencies concern.

To determine how interdependencies would impact your organization, the infrastructure disruption under consideration would probably be the result of a number of different scenarios, such as:

  • A natural disaster, of regional proportions, such as a flood, tornado, hurricane, ice or snow storm
  • A terrorist event
  • A man-made event, such as an accident, malfunction, or deliberate disruption, which might affect a single infrastructure, such as electric, telecommunications, or water, or a single building

When you think about the scenario, make sure it is one that would not only impact your organization, but one that would involve public agencies and other local businesses, so that the interdependencies can be evaluated.

This scenario should also be one that external groups would acknowledge if you elect to involve them in discussion at some point.

Step 3. Identify the Public Sector Interdependencies

Public agency interdependencies are those that encompass outside public agencies, which can affect your ability to recover from a disruption and conduct business. Typical issues that arise with public agency interdependencies include:

  • Unavailable utility services
  • Denied access to your building
  • Transportation restrictions
  • Unavailability of medical services

To understand public interdependencies, you should first identify and list all external interdependencies by type, including:

  1. Emergency management agencies
  2. Federal government agencies
  3. State government agencies
  4. Local government agencies
  5. Utilities – electric, gas, water, telecommunications
  6. Public services – police, fire, public safety, emergency management & transportation

Your discussion should cover the following questions:

  1. Why is there an interdependency concern?
  2. How would that interdependency issue impact your organization?
  3. Who can you speak or meet with to discuss this?
  4. What action should you take?

Step 4. Identify Private Sector (Business) Interdependencies

Private sector interdependencies are those that encompass outside companies that can affect your ability to recover from a business disruption and conduct business. These might be companies that you exchange information with, count on to conduct business, buy from or sell to or rely upon in some other way.

To address this, you should identify and list all external business interdependencies by type, including:

  1. Customers
  2. Suppliers
  3. Trade associations, if applicable
  4. Business-critical equipment and facilities vendors
  5. IT and facilities service providers and contractors

Following the identification of the interdependencies, you or others in your organization will probably want to meet with all of some of the businesses to learn more about what impacts could occur and what the effect of them would be.

Your discussion should cover the following questions:

  1. Why is there an interdependency concern?
  2. What is the organization’s overall recovery strategy
    • What is covered
    • What is not covered and why not
  3. What is the recovery time objective by shared application (time to recover and make operational)
  4. What is the recovery point objective by shared application (how current will the data be)
  5. Who is their recovery vendor and primary site if using a shared vendor
  6. What are the major business to business interface points, systems, data feeds
  7. Who is their contact point during a disaster, and how to contact
  8. What major concerns do they have about their recoverability

Step 5. Prioritize the Most Critical Interdependencies

While you may find a number of interdependencies that can impact your organization, it is important to select and address the most critical ones first. Select the six (could be more or less, depending on your decision) interdependencies from both the public group and the private sector group which have the highest potential to disrupt your recovery process.

Considerations for selecting a most critical interdependency include:

  • Potential frequency of disruption
  • Degree of impact
  • Likelihood of resolving the issue

Step 6. Review the Scenarios and Interdependencies that may occur

Now that you have selected the top priority interdependencies, conduct a round-table discussion with your continuity team to discuss each one and determine the actions you should take.

Actions might include:

  • Assigning responsibilities to the team to take ownership of individual interdependencies
  • Meeting with the external organization or agency to better understand what they would do when an outage occurs
  • Share your recovery strategy and plans with the critical interdependency organizations (confidentiality permitting). This is especially important to do with fire, police and local emergency management personnel.
  • Determine a course of action for each interdependency

Step 7. Taking Corrective or Preventative Steps to Lessen the Impact of Interdependencies

As important as it is to identify and resolve interdependencies, it is also important to factor them into your recovery strategy and plans. Consider the following changes or considerations to your continuity program:

  • Modify your business impact analysis process to make sure identification of interdependencies is an ongoing process
  • Ask questions about new critical vendors, suppliers, and partners when establishing contractual agreements
  • Consider that if some interdependencies cannot be mitigated, resulting in that your recovery time and point may be unachievable, requiring either communication with management or a change to your strategy
  • Consider how your spending on continuity and recovery might be impacted by interdependencies. (i.e. Are you spending to achieve a level of recovery that interdependencies might not allow?)

Summary

Conducting an interdependencies assessment is an important and prudent step to take as a part of your overall continuity strategy. Your continuity program and your ability to recover will be significantly improved by addressing this important issue.

John Jackson is an executive vice president at Fusion Risk Management. Jackson brings to Fusion more than 30 years experience and is widely regarded as an early and current visionary leader in disaster recovery and business continuity. Jackson serves on the DRJ Executive Council and PPBI Board of Directors.